8. RATIONALE
8.2 SECURITY REQUIREMENTS RATIONALE
8.2.1 The SFRs meet the Security Objectives for the TOE
For each Security Objective for the TOE we demonstrate that it is met by the SFRs, as shown in the mapping below and supported by the rationales that follow it.
SFRs claimed for the TOE: FDP_ACC.1, FDP_ACF.1, FIA_UID.1, FIA_UAU.1, FDP_RIP.1, FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1, FPT_TST.1

Objective             SFRs that meet it
O.F.INBOUND_FILTER    FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FPT_SEP.1, FPT_RVM.1
O.F.OUTBOUND_FILTER   FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FPT_SEP.1, FPT_RVM.1
O.F.JOB_RELEASE       FIA_UID.1, FIA_UAU.1, FPT_RVM.1, FPT_SEP.1
O.F.JOB_SHRED         FDP_RIP.1, FPT_RVM.1, FPT_SEP.1
O.F.AUTHENTICATE      FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_RVM.1, FPT_SEP.1
O.F.SELFTEST          FPT_TST.1, FPT_RVM.1, FPT_SEP.1
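The two properties an evaluator checks in a mapping like the one above are that every objective is met by at least one SFR and that every claimed SFR traces back to at least one objective; a third, cheaper check is that the table and the per-objective rationale text name the same SFRs. The following script is an added example (it is not part of this Security Target and not Océ's tooling) that encodes the mapping above as data and performs those checks; the function names and the constructed misspelling used to exercise the cross-check are assumptions of the example.

```python
"""Consistency check for the objective-to-SFR mapping of section 8.2.1.

Added example, not part of the Security Target. It checks:
  1. every objective is met by at least one claimed SFR,
  2. every claimed SFR traces to at least one objective,
  3. the X-table and the rationale text agree objective by objective.
"""

# The SFRs claimed for the TOE (column headings of the table above).
TOE_SFRS = {
    "FDP_ACC.1", "FDP_ACF.1", "FIA_UID.1", "FIA_UAU.1", "FDP_RIP.1",
    "FIA_UID.2", "FIA_UAU.2", "FMT_MOF.1", "FMT_MSA.1", "FMT_MSA.3",
    "FMT_SMF.1", "FMT_SMR.1", "FPT_SEP.1", "FPT_RVM.1", "FPT_TST.1",
}

FILTER_SFRS = {"FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3",
               "FPT_SEP.1", "FPT_RVM.1"}

# Objective -> SFRs marked with an X in the table above.
TABLE = {
    "O.F.INBOUND_FILTER": FILTER_SFRS,
    "O.F.OUTBOUND_FILTER": FILTER_SFRS,
    "O.F.JOB_RELEASE": {"FIA_UID.1", "FIA_UAU.1", "FPT_RVM.1", "FPT_SEP.1"},
    "O.F.JOB_SHRED": {"FDP_RIP.1", "FPT_RVM.1", "FPT_SEP.1"},
    "O.F.AUTHENTICATE": {"FIA_UID.2", "FIA_UAU.2", "FMT_SMF.1", "FMT_MOF.1",
                         "FMT_SMR.1", "FPT_RVM.1", "FPT_SEP.1"},
    "O.F.SELFTEST": {"FPT_TST.1", "FPT_RVM.1", "FPT_SEP.1"},
}


def check_coverage(table, sfrs):
    """Return a list of findings; an empty list means the mapping is complete both ways."""
    findings = []
    for objective, mapped in table.items():
        if not mapped:
            findings.append(f"objective {objective} is not met by any SFR")
        for sfr in sorted(mapped - sfrs):
            findings.append(f"{objective} cites {sfr}, which is not a claimed SFR")
    used = set().union(*table.values()) if table else set()
    for sfr in sorted(sfrs - used):
        findings.append(f"SFR {sfr} traces to no objective")
    return findings


def check_consistency(table, rationale):
    """Cross-check the X-table against the objective/SFR pairs named in the rationale text."""
    findings = []
    for objective in sorted(set(table) | set(rationale)):
        in_table = table.get(objective)
        in_text = rationale.get(objective)
        if in_table is None:
            findings.append(f"{objective} has a rationale but no table row")
        elif in_text is None:
            findings.append(f"{objective} has a table row but no rationale")
        else:
            for sfr in sorted(in_table - in_text):
                findings.append(f"{objective}: {sfr} marked in table but not justified in text")
            for sfr in sorted(in_text - in_table):
                findings.append(f"{objective}: {sfr} justified in text but not marked in table")
    return findings


def misspelt_table():
    """Constructed discrepancy: the row spelled O.F.JOB_SHREAD instead of O.F.JOB_SHRED."""
    table = dict(TABLE)
    table["O.F.JOB_SHREAD"] = table.pop("O.F.JOB_SHRED")
    return table


if __name__ == "__main__":
    # The rationale text names the same SFRs as the table, so both checks are clean.
    print("coverage findings:", check_coverage(TABLE, TOE_SFRS))
    print("consistency findings:", check_consistency(TABLE, TABLE))
    # The constructed misspelling is reported as a missing row plus a missing rationale.
    for finding in check_consistency(misspelt_table(), TABLE):
        print(finding)
```

Running the script reports no findings for the mapping as reconstructed above; the constructed misspelling is reported once as an objective with a rationale but no table row and once as a row with no rationale, which is the kind of naming drift that otherwise survives until an evaluator reads the two halves of the section side by side.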
The individual rationales demonstrating that the objectives are met are as follows:
O.F.INBOUND_FILTER
FDP_ACC.1 Subset access control
Inbound traffic is filtered so that only traffic relating to the operation of the TOE is allowed to enter the TOE. This SFR supports the security objective by restricting the TOE data flow to only that which is necessary for the operation of the TOE. This reduces the number of vulnerable entry points.
FDP_ACF.1 Security attribute based access control
All ports that are not necessary for the operation of the TOE as described in this document are blocked. This SFR supports the security objective by reducing the number of entry points that could be vulnerable to attack.
FMT_MSA.1 Management of security attributes
The TOE is delivered pre-configured to the customer. This SFR supports the objective by ensuring that it is not possible for any user (including S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN) to change the settings of the firewall mechanism.
FMT_MSA.3 Static attribute initialisation
In order to change the security attributes of the TOE, the management interfaces provided for S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN must be used. This SFR supports the objective by ensuring that the TOE provides restrictive default security-related settings that require no additional modification by S.SERVICE_ENGINEER or S.REMOTE_SYSADMIN. Nobody is allowed to create new settings with alternative values.
FPT_SEP.1 TSF domain separation
Filtering of network traffic occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the filtering mechanism is protected, since it is not exposed to non-TSF mechanisms from which an attack could be made.
FPT_RVM.1 Non-bypassability of the TSP
In order for data to enter or leave the TOE it must pass through the filtering mechanism. This SFR supports the security objective by ensuring that the TSF cannot be bypassed; a bypass would create a direct path between the Digital Copier and the network to which the TOE is attached.
O.F.OUTBOUND_FILTER
FDP_ACC.1 Subset access control
Outbound traffic is filtered so that only traffic relating to the operation of the TOE is allowed to leave the TOE. This SFR supports the security objective by restricting the TOE data flow to only that which is necessary for the operation of the TOE.
FDP_ACF.1 Security attribute based access control
All ports that are not necessary for the operation of the TOE as described in this document are blocked. This SFR supports the security objective by reducing the number of exit points through which an attack could be launched.
FMT_MSA.1 Management of security attributes
The TOE is delivered pre-configured to the customer. This SFR supports the objective by ensuring that it is not possible for any user (including S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN) to change the settings of the firewall mechanism.
FMT_MSA.3 Static attribute initialisation
In order to change the security attributes of the TOE, the management interfaces provided for S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN must be used. This SFR supports the objective by ensuring that the TOE provides restrictive default security-related settings that require no additional modification by S.SERVICE_ENGINEER or S.REMOTE_SYSADMIN. Nobody is allowed to create new settings with alternative values.
FPT_RVM.1 Non-bypassability of the TSP
In order for data to enter or leave the TOE it must pass through the filtering mechanism. This SFR supports the security objective by ensuring that the TSF cannot be bypassed; a bypass would create a direct path between the Digital Copier and the network to which the TOE is attached.
FPT_SEP.1 TSF domain separation
Filtering of network traffic occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the filtering mechanism is protected, since it is not exposed to other non-TSF mechanisms from which an attack could be made.
O.F.JOB_RELEASE
FIA_UID.1 Timing of identification (Secure Printing)
Printing will only commence once the TSF has validated the Username supplied for the job by S.LOCAL_USER. The TSF receives the Username via the DAC/DC interface. This SFR supports the security objective by requiring S.LOCAL_USER to identify themselves as part of the job release process.
FIA_UAU.1 Timing of authentication
Printing will only commence once the TSF has validated the PIN supplied for the job by S.LOCAL_USER. The TSF receives the PIN via the DAC/DC interface. This SFR supports the security objective by requiring S.LOCAL_USER to authenticate themselves as part of the job release process.
FPT_RVM.1 Non-bypassability of the TSP
Print jobs cannot be processed by any other mechanism than by the specified mechanism. This SFR supports the objective by ensuring that no other mechanisms can access the print job data.
FPT_SEP.1 TSF domain separation
Management of print jobs occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the job release mechanism is protected, since it is not exposed to other non-TSF mechanisms from which an attack could be made.
O.F.JOB_SHRED
FDP_RIP.1 Subset residual information protection
This SFR supports the objective by ensuring that once a print or scan job has completed, or if residual print or scan job data is found during the startup procedure, the related data is electronically shredded from the hard disk. The SFR has been refined to describe the moment at which the data is shredded.
FPT_RVM.1 Non-bypassability of the TSP
Print and scan jobs must pass through the shredding mechanism. This SFR supports the objective by ensuring that print and scan jobs cannot leave the TOE except in the authorised manner.
FPT_SEP.1 TSF domain separation
Shredding occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the shredding mechanism is protected, since it is not exposed to other non-TSF mechanisms from which an attack could be made.
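The O.F.JOB_RELEASE and O.F.JOB_SHRED rationales above rest on an ordering: a held job is printed only after S.LOCAL_USER has identified (Username, FIA_UID.1) and then authenticated (PIN, FIA_UAU.1) through the one release path, and the job's data is shredded when the job completes and again for anything left over at startup (FDP_RIP.1). The model below is an added example that is not Océ's code and is not derived from the TOE's design; the salted PIN hashing, the lockout threshold, the overwrite pattern and the in-memory stand-in for the hard disk are all assumptions chosen to make the ordering concrete.

```python
"""Model of secure-print job release followed by job shredding.

Added example, not Océ's implementation. Assumptions: PINs are stored as
salted PBKDF2 hashes, a job is shredded after MAX_PIN_FAILURES wrong PINs,
and a dict stands in for the copier's hard disk.
"""
import hashlib
import hmac
import os
import secrets

MAX_PIN_FAILURES = 5        # assumed lockout threshold; not stated in the ST
PBKDF2_ROUNDS = 100_000     # assumed hashing cost


def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class HeldJob:
    """A print job waiting on the copier for release by its owner."""

    def __init__(self, username, pin, data):
        self.username = username
        self.salt = os.urandom(16)
        self.pin_hash = _pin_hash(pin, self.salt)   # never the PIN itself
        self.data = bytearray(data)                  # mutable: overwritten in place on shred
        self.failures = 0
        self.shredded = False

    def shred(self):
        """FDP_RIP.1: make the job content unavailable before the buffer is given up."""
        for _ in range(2):                           # assumed pattern: 2 random passes + zero
            self.data[:] = secrets.token_bytes(len(self.data))
        self.data[:] = bytes(len(self.data))
        self.shredded = True


class PrintSpool:
    def __init__(self):
        self.jobs = {}        # job_id -> HeldJob; stands in for the hard disk
        self.printed = []     # job ids handed to the print engine

    def submit(self, username, pin, data):
        job_id = secrets.token_hex(4)
        self.jobs[job_id] = HeldJob(username, pin, data)
        return job_id

    def _discard(self, job_id):
        self.jobs[job_id].shred()
        del self.jobs[job_id]

    def release(self, job_id, username, pin):
        """The only path that prints (FPT_RVM.1): identify, then authenticate, then print."""
        job = self.jobs.get(job_id)
        if job is None:
            return "no such job"
        # FIA_UID.1: the Username must match the job before the PIN is even looked at.
        if job.username != username:
            return "identification failed"
        # FIA_UAU.1: constant-time PIN check; too many failures shred the job.
        if not hmac.compare_digest(_pin_hash(pin, job.salt), job.pin_hash):
            job.failures += 1
            if job.failures >= MAX_PIN_FAILURES:
                self._discard(job_id)
                return "locked out; job shredded"
            return "authentication failed"
        self.printed.append(job_id)   # engine consumes job.data here
        self._discard(job_id)         # job completed: residual data shredded
        return "printed"

    def startup_sweep(self):
        """Startup: shred any job data left on 'disk' by an interrupted run; returns the count."""
        leftover = list(self.jobs)
        for job_id in leftover:
            self._discard(job_id)
        return len(leftover)


if __name__ == "__main__":
    spool = PrintSpool()
    jid = spool.submit("alice", "4821", b"constructed sample document")
    print(spool.release(jid, "bob", "4821"))     # identification failed
    print(spool.release(jid, "alice", "0000"))   # authentication failed
    print(spool.release(jid, "alice", "4821"))   # printed
    print(spool.release(jid, "alice", "4821"))   # no such job (already shredded)
```

The point of the model is what each failure path does not do: a wrong Username never reaches the PIN check, a wrong PIN never reaches the engine, and there is no path that reads job data without passing through `release`. The shred on completion and the startup sweep are the two moments the refined FDP_RIP.1 names.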
O.F.AUTHENTICATE
FIA_UID.2 User identification before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify themselves to the TOE before any TOE management actions can be performed.
FIA_UAU.2 User authentication before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before any TOE management actions can be performed.
FMT_SMF.1 Specification of Management Functions
The functions that can be performed by S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER are defined.
FMT_MOF.1 Management of security functions behaviour
Only TOE administrators and Océ technicians can use security-related functions.
FMT_SMR.1 Security roles
The TOE shall make a distinction between administrators and ordinary users.
FPT_RVM.1 Non-bypassability of the TSP
Users other than S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER cannot gain access to the security management functions of the TOE without first being controlled by the mechanisms specified in this document.
FPT_SEP.1 TSF domain separation
Identification and authentication of users occurs in an area of the TOE that is separate from non-security related operation.
O.F.SELFTEST
FPT_TST.1 TSF Testing
When the TOE is started up, it performs a suite of self tests and determines whether it is working correctly. If it determines that there is a problem it will try to repair itself. If this fails it places itself in an 'out-of-order' mode.
FPT_RVM.1 Non-bypassability of the TSP
The self-test mechanism cannot be bypassed.
FPT_SEP.1 TSF domain separation
Self-testing of the TOE occurs in an area of the TOE that is separate from non-TSF related operation.
8.2.2 The security requirements for the IT environment meet the security